Minutes - Linux Kernel Developers' Netconf 2014

  David Miller
Soyoung Park
Stephen Hemminger
Jeff Kirsher
John Fastabend
Herbet Xu
Eric Beiderman
Tom Herbert
Eric Duzamet
Scott Feldman
Rusty Russell
Jamal Hadi Salim
Pablo Neira Ayuso
Anna Schumaker
Florian Fainelli
Hannes Frederic Sowa
Eric W. Biederman
Chris Wright
John Linville
Johannes Berg

  • Introductions

  • SCTP consolidation with generic infrastructure.
    - Lower Arnaldo's generic infrastructure work to SCTP some more.
    - Who uses associations?
    - Does not use inet hash
    synchronize RCU, which is in recent merge w/ dynamic lookup done
    Conversion of ehash tables to rhashtables

  • eBPF
    - 64-bit opcodes, LLVM --> C backend, more than networking
    - pushback(code & design reviews needed on community level)
    - load arbitrary pointers(security concern)
    - LLVM backend
    - useful for tracing

  • Pablo Netfilter Workshop report
     - http://workshop.netfilter.org/2014/wiki/index.php/List_of_presentations
     - Conntrack removal, Jesper
     - OVS replacing bridging, shemminger
     - 10GB/s wirespeed, Jesper
     - DPDK (concerns: sharing IP and port space with normal stack)
       + take another look at netchannels
       + people think userland development is "easier"
    - offloads between hardware such as switches, software and vm layers
     - nftables, compatibility layer, multidimensional keys - Pablo/Patrick
     - OVS w/conntrack - Jesse Gross

  • Tom Herbert - Offloading Encapsulations
     - non-virtualization (GRE, source routing) vs. virtualization (vxlan, nvgre, etc.)
     - UDP encapsulation ubiquitous
     - Avoiding deep packet inspection for flow steering
     - Idea: Set source port to hash of inner packet
     - checksum offloading
       + multiple checksums in single packet (IP->UDP->GRE->IP->TCP)
       + Switch vendors want to avoid UDP checksums
       + Receive checksum overhaul
         - CHECKSUM_COMPLETE(always works) vs. CHECKSUM_UNNECESSARY(stack allows two levels)
         - Most NICs can provide checksum unnecessary for UDP packets
         - if checksum is non-zero, derive checksum complete when processing UDP packets
         - after conversion, any encapsulated checksums is verified by using skb->csum
       + TX checksum offloading
         - one checksum easy, for two stack and NIC do not support
         - Remote Checksum Offload
           + Checksum only outer UDP packet on TX
           + like normal checksum offload except it's deferred to peer
           + Deduce both csums on receive
         - 2 or more checksums
           + outer packet and inner transport packet
           + stack and NICs do not support
           + Alternative: Remote Checksum Offload
     - GRO after GRE decap
     - TSO/GSO
      + Partially generic support
      + works as long as no per-segment values reside in encap header
        (such as sequence numbers, packet lengths)
     - TSO/LRO to guest driver
      + Tx guest uses TSO interface, host kernel converts to TSO/GSO
      + On Rx, host probably uses GRO, converts to LRO to guest device

  • Johannes Berg - Wireless
     - ARP Proxying
       + Power and air time saving
       + Snoops DHCP, ARP, NS/NA frames.
       + Implementation location: generic networking vs. bridge
     - L2 Traffic Inspection and Filtering
     - Wireless traffic bound for wireless medium currently forwarded
       internally by 802.11 layer.  Will have to change in order to
       implement snooping for things like ARP proxying
     - GTK protected traffic(L3 unicast in L2 multicast), RFC 1122 broadcast check
       + since all stations share GTK key, any station can send multicast
         GTK protected frames to anyone and appear to be the AP.
       + thus frames containing L2 unicast in L2 multicast packets, which
         are GTK protected, should be dropped
       + RFC 1122 mandated rules on receive should already disallow this but
         seem to be simply not implemented in ip_route_input_slow() yet.
       + Alternatively, parse L3 in wireless stack (or even in iptables rules?)
       + Previous attempt at using an skb bit "drop_unicast" reject by Eric

  • Jamal Hadi Salim - Network Function Offloading
     - Use/support existing tools(nftables/iptables, iproute2, route/ifconfig...)
     - Linux APIs, netlink, etc., no vendor APIs/SDKs
     - Bridging/switching, QoS, IPSEC, L3 forwarding, stateless ACL
     - Capability probing becomes necessary due to disparate set of features
       and capacities (TCAMs etc.)
     - How vs. Network centric view of the worls
     - Challenge1: design toward generic framework that will cater each drivers
    - Challenge2: limited open source drivers - Challenge3: unresolved driver support issues get spilled to the userspace for kernel to support as openwrt guys' open drivers
     - QEMU virtual device coming soon so that prototyping is possible
       of userspace
    - on-going discussions: https://linux.cumulusnetworks.com/offload-discussion-1/

  • David S. Miller - VLAN offload limits
     - HW decap stored in SKB
     - multiple HW decaps possible?
     - --> no
     - Want consistent handling of multiple tags

  • Bonding
     - very modular
     - locking is a lot cleaner
     - smaller code base
     - Where are with bonding and offloading?

  • Eric Dumazet - IP VLAN
     - Like MAC VLAN, but decapsulating on IP address
     - supports ipv4 and ipv6

  • David S. Miller - send batching
     - ->ndo_start_xmit() takes one SKB at a time
     - Extend to be able to queue multiple SKBs at a time
     - Amortize the number of "trigger" events (writes to "TX start"
       register, or calls into hypervisor)
     - Transition path is important, there are 400+ implementations
       of ->ndo_start_xmit()
     - Add ->ndo_xmit_flush() op
     - If implemented, semantics are that it must be called after
       a sequence of ->ndo_start_xmit() invocations.  The implication
       is that ->ndo_start_xmit() does not kick the TX queue to
       start processing the newly queued up SKBs, that's what the
       new ->ndo_xmit_flush() operation does.

  • Misc
     - Batching of "same routing keyed" packets on RX to amortize
       routing lookups, perhaps similarly on TX.
     - TPACKET_V4, generically exporting RX ring into userspace.
       Header will have description of RX queue descriptor format.
       Should work on Intel, Mellanox, Solarflare NICs